IE 6.0 - trivial crash - part II
Apr 18 2003 08:19PM
Adam [ckkl] (ckkl poczta wp pl)
IE / Outlook / MS SHLWAPI Render - more trivial crash
Apr 21 2003 10:07PM
Ramon Pinuaga Cascales (rpinuaga s21sec com)
RE : IE / Outlook / MS SHLWAPI Render - more trivial crash
Apr 22 2003 08:29PM
Gervaize Maquard (freestyler tiscali fr)
RE: RE : IE / Outlook / MS SHLWAPI Render - more trivial crash
Apr 29 2003 06:27PM
kajbaf (kajbaf cse shirazu ac ir)
Re: IE / Outlook / MS SHLWAPI Render - more trivial crash
Apr 23 2003 12:54PM
Berend-Jan Wever (SkyLined edup tudelft nl)
IE tries to compare the type of the input field to "HIDDEN", to see if it
should be rendered. When there is no type string, a null-pointer is used.
mshtml.dll calls shlwapi.dll#158 @ 0x636f0037 with a pointer to a static
unicode string "HIDDEN" and a null-pointer.
shlwapi.dll#158 does a case-insensitive comparison of two unicode strings:
it reads from address 0x0 because of the null-pointer and thus causes an
This is not exploitable, other than a DoS, because there is no memory mapped
@ 0x0 and even if you could load something there, you could only compare it
to "HIDDEN" which gets you nowhere.
----- Original Message -----
From: "Gervaize Maquard" <freestyler (at) tiscali (dot) fr>
To: <bugtraq (at) securityfocus (dot) com>
Sent: Tuesday, April 22, 2003 22:29
Subject: RE : IE / Outlook / MS SHLWAPI Render - more trivial crash
> Original message :
> >Well, as it seems that is the Microsoft Crash month, let's see another
> ><input type crash>
> >This will crash IE with the following error:
> >"Unhandled exception in iexplore.exe (SHLWAPI.DLL): 0xC0000005: Access
> >It's a null pointer overwrite, so it's not easily exploitable...
> >This HTML also crashes Outlook, Frontpage, and all the Microsoft programs
> >that use the shlwapi.dll library to render web code.
> >Plain HTML is a dangerous language :)
> Added :
> It also seems to crash explorer.exe when the .html file containing the
> code is copied into any folder !!
> It may work since windows is trying to create a view in Windows
> explorer. Indeed, it doesn't work when the file is copied in the
> Tested on Windows XP with Office XP.
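The failure mode described in the message above, sketched as an added example (not part of the original post and not Microsoft's code): a case-insensitive wide-string comparison with no NULL check, next to a checked wrapper and a caller that treats a missing type attribute as "not hidden". The names `unchecked_icmp`, `checked_icmp` and `input_is_hidden` are hypothetical, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Hypothetical stand-in for the routine described above: compares two
 * wide strings case-insensitively and never checks for NULL, so a NULL
 * argument is dereferenced (read from address 0) and the process faults. */
static int unchecked_icmp(const wchar_t *a, const wchar_t *b)
{
    while (*a && towlower((wint_t)*a) == towlower((wint_t)*b)) {
        a++;
        b++;
    }
    return (int)towlower((wint_t)*a) - (int)towlower((wint_t)*b);
}

/* Checked wrapper: NULL sorts before any string, two NULLs compare equal,
 * and the unchecked routine is only reached with two valid pointers. */
static int checked_icmp(const wchar_t *a, const wchar_t *b)
{
    if (a == NULL || b == NULL)
        return (a != NULL) - (b != NULL);
    return unchecked_icmp(a, b);
}

/* Caller side: an input element with no type attribute arrives as NULL
 * and is reported as "not hidden" instead of being passed through. */
int input_is_hidden(const wchar_t *type_attr)
{
    return checked_icmp(L"HIDDEN", type_attr) == 0;
}

int main(void)
{
    /* Constructed inputs; the last one models <input> with no type. */
    const wchar_t *samples[] = { L"hidden", L"HiDdEn", L"text", L"", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%ls -> hidden=%d\n",
               samples[i] ? samples[i] : L"(no type attribute)",
               input_is_hidden(samples[i]));
    return 0;
}
```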
Copyright 2010, SecurityFocus